← Back to blog

pip Regression Fix: urllib3 Decompression DoS Vulnerability Patched

Ubuntu released USN-8344-3 to address a regression introduced in the previous pip security update, while fully resolving a critical urllib3 streaming decompression vulnerability. The flaw could allow remote attackers to trigger denial-of-service conditions through resource exhaustion.

TL;DR

  • USN-8344-1 pip update introduced a regression now fixed in USN-8344-3
  • Root cause: urllib3 library improperly handled streaming decompression of highly compressed data
  • Remote attackers could exploit the flaw to cause excessive resource consumption and DoS
  • CVE-2025-66471 affects pip's bundled urllib3 library
  • Ubuntu users should apply the complete fix immediately

Ubuntu released security update USN-8344-3 to resolve both a regression introduced in the previous pip patch and the underlying urllib3 vulnerability it was meant to address. The original advisory identified a critical flaw in pip's bundled urllib3 library that improperly handled streaming decompression of highly compressed data, creating a denial-of-service vector.

The vulnerability allows remote attackers to craft malicious compressed payloads that force pip to consume excessive system resources, potentially rendering affected systems unresponsive. This update provides a complete remediation, ensuring both the original vulnerability and the regression from USN-8344-1 are fully resolved.

Development teams relying on pip for package management should prioritize applying this update to maintain secure dependency resolution workflows.

Vulnerability Details

  • CVE-2025-66471 affects urllib3 library bundled with pip
  • Improper handling of streaming decompression in highly compressed data
  • Remote attackers can trigger excessive resource consumption
  • Denial-of-service condition possible without authentication
  • Affects pip's ability to safely download and decompress packages

Update and Remediation

  • USN-8344-1 introduced a regression requiring immediate follow-up patch
  • USN-8344-3 provides complete fix for both regression and original vulnerability
  • Ubuntu users should apply the update to all affected systems
  • Recommended for development environments and CI/CD pipelines using pip
  • No workarounds available; patching is the only mitigation

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

pip Regression Fix: urllib3 Decompression DoS Vulnerability Patched — Agent Breach Blog | Agent Breach